How to use Cloudtrail to get who created IAM user

amazon-web-services cloud amazon-cloudtrail
  • If the IAM user was created inside the last 90 days, you can find who created the user using CloudTrail Event history.
    • Using the AWS CLI: aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser --region us-east-1
    • Using the Console: Go to Event History in CloudTrail Service, choose the EventName filter with a value of CreateUser. You have to use the region us-east-1 to view the events.
  • If the IAM user was created outside the 90 days time window, you can still find out who created the user if you have a trail enabled in CloudTrail. You can use Amazon Athena or some other method to search the log files created by CloudTrail in S3.

References:

  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-cli.html (Note the disclaimer for global services post November 22, 2021)
  • https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events-console.html
  • https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

Related

How to rebuild this query using joins
how to add new input row on dataframe?
How to encode my data to utf-8 and read the text
Reserve characters in a string [duplicate]
Cannot log into Nord VPN
Purging performance-reducing tracker-extract caused other issues
Can I install c-ares 1.18.1 on Ubuntu 21.10
Where is the inittab file?
HPLIP Catch-22: Need IP to install printer / need to install to get IP
FTP restricted user umask - where is it?
Ubuntu Server 20.04 cloud-config adding user does nothing
Installing Nvidia 450 graphics driver in Ubuntu 20.04